Purpose


The Regulatory Panel (“the Panel”) will be convened at the 
recommendation of the Commissioner, or at the instigation of the 
decision maker. The Panel will make recommendations to the 
decision maker in any specific case. The decision maker will be the 
Commissioner or the appropriate person to whom the 
Commissioner has delegated authority, in line with the Scheme of 
Delegations. 


The Panel’s purpose is to make independent recommendations to 
the decision maker regarding proposed regulatory action as a 
result of breaches of legislation by data controllers or data 
processors. This may include consideration of the range of fines 
and other corrective measures which it would consider to be 
appropriate in all the circumstances. 


The Panel will usually advise on cases relating to breaches of the 
Data Protection Act 2018 (DPA18), General Data Protection 
Regulation (GDPR) or Network Information Systems (NIS) 
regulations, where the ICO’s Penalty Setting Meeting (PSM) 
recommends a fine in excess of £5m, or in circumstances where 
any proposed penalty or regulatory action is likely to cause a very 
significant financial impact on the recipient’s business model. The 
Commissioner or decision maker may also choose to consult the 
Panel on other proposed regulatory action under DPA 18 (and 
GDPR) or NIS not falling within the above circumstances where 
they consider it appropriate to do so. 


The Panel will not consider cases in relation to any other legislation 
which the ICO regulates. 


The Panel is advisory and makes recommendations to the decision 
maker but does not itself take the final 


To fulfil this purpose, the Panel convenes in applicable cases after 
a Notice of Intent (NOI) for a fine or preliminary enforcement 
notice (PEN) has been issued and representations received in 
response. 


The Panel is responsible for: 


• considering whether the fine (and/or any corrective measures) 
are effective, proportionate and dissuasive. It will do this by: 

  ○ assessing the evidence in the case; 

  ○ applying all relevant considerations of the relevant 
  legislation; 

  ○ taking into account the recommendations of the Penalty 
  Setting Meeting; 

  ○ reviewing previous regulatory action taken by the ICO to 
  ensure that the proposed action is consistent in scale and 
  scope with previous action; and 

  ○ considering any representations already received from 
  organisations regarding the NOI/PEN. 


The proposed recipient of the fine and/or corrective measures is 
not permitted to attend the meeting of the Panel. 


The Panel will then recommend to the decision maker the range of 
fine and/or corrective measures which it would consider to be 
appropriate. 


The Panel will not usually meet when Article 60 of GDPR (or other 
similar legislation) applies to the case in question. The 
Commissioner has determined that the Article 60 process provides 
sufficient independent scrutiny and advice on proposed regulatory 
action that additional input from the Regulatory Panel will not 
generally be required. 


Authority 


The Panel makes recommendations to decision makers and has no 
decision-making power of its own. 


Composition 


Each meeting of the Panel comprises three members, drawn from 
a pool of potential members. Members are appointed to this pool 
by the Commissioner. The membership pool will be a mix of: 

• A Non-executive Director of the ICO’s Management Board, who 
will chair the meeting; 

• ICO staff (at Level G2 or above); and 

• External members as subject matter experts. This may include, 
but is not limited to, members of the ICO’s advisory panels¹. 


Members for each meeting of the Panel will be selected based on 
the areas of expertise required to consider the case and panel 
member availability. 


ICO staff representatives on any Panel will not have been involved 
in, or responsible for, any part of the investigation of the breach. 
Panel members will be asked to make a declaration of this at each 
meeting. 


All members of the pool are considered to be agents of the 
Commissioner and as such are subject to the provisions within 
section 132 of the DPA 18 regarding confidentiality of information. 


All potential panel members will be advised of the cases that will 
be considered at each meeting and required to disclose any 
potential conflicts of interest with respect to the parties involved in 
each case. 


Quorum 


All three members of the Panel must be present for the meeting to 
be quorate. Members may attend the panel virtually (e.g. by video 
or teleconference). 


Information requirements 


The Panel should ensure that arrangements are in place to enable 
it to discharge its responsibilities effectively, including the timely 
provision of information in an appropriate form and quality. The 
Chief Regulatory Officer is responsible for ensuring that the Panel 
is provided with the information required. 


Budget 


The Panel has no budget. Any spending required will be funded 
from the relevant Service’s budget. 


¹ E.g. Technology advisory panel 


Secretariat 


Secretariat is provided by the Corporate Governance Team. 


Secretariat will produce a record of the Panel’s recommendation to 
the Commissioner and the reasoning behind it. 


Frequency of meetings 


The Panel will meet whenever required by the ICO’s proposed 
regulatory action. 


Evaluation 


The Panel should ensure that arrangements are in place to enable 
it to discharge its responsibilities effectively, including a regular 
formal evaluation of the Panel’s performance. 


Publication of papers 

Agendas, reports and minutes of Panel meetings will not be 
published, either internally or externally. 

Links to other forums 


When considering individual cases, the Panel will report directly to 
the decision maker. 


When considering matters of consistency between cases, or similar 
issues, the Panel will report to the Commissioner or Chief 
Regulatory Officer as appropriate. 


